While the internet has been taking well to IPv6 deployment, the same cannot be said for the domain name system’s authenticity mechanism, DNSSEC. It is currently only enabled on somewhere just south of ten percent of all registered domains. And, being the ‘be the change you wish to see’ kind of guy that I am, I decided to roll out DNS authentication for this site, not least because I do supply downloads containing executable software, as simple as they may be.
Those running anonymized DNS resolution may not be able to take advantage of this, but it is there for the more surface-level dnsmasq and unbound configurations (or wherever else DNSSEC validation may be possible). I was also intending to disable information leaks through OCSP stapling, and was delighted to find it already disabled in my configs:
OCSP response: no response sent
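For anyone wanting to confirm the same two things on their own setup, here is a small script I am adding as an example (it is not from the original post, and nothing in it is specific to this site). It checks whether a resolver sets the DNSSEC ‘ad’ (authenticated data) flag on answers, and whether a TLS server staples an OCSP response. The resolver address 127.0.0.1 and the host name example.com are placeholders; dig and openssl are assumed to be installed.

```shell
#!/bin/sh
# Added example: verify DNSSEC validation at a resolver and OCSP stapling
# at a TLS server. Parsing is split into functions so the logic can be
# exercised on captured output without network access.

# Return 0 if a dig header line carries the 'ad' flag. A validating resolver
# sets 'ad' only on answers that passed DNSSEC validation, so its absence on
# a signed zone means validation is not happening (or the zone is unsigned).
ad_flag_set() {
    printf '%s\n' "$1" | grep -Eq '^;; flags:[^;]* ad[ ;]'
}

# Return 0 if 'openssl s_client -status' output shows a stapled OCSP response.
# Unstapled servers print "OCSP response: no response sent" instead.
ocsp_stapled() {
    printf '%s\n' "$1" | grep -q '^OCSP Response Status: successful'
}

# Live checks: query a signed name through the resolver, then open a TLS
# connection and ask for the stapled status.
check_live() {
    resolver="$1"   # placeholder: 127.0.0.1
    host="$2"       # placeholder: example.com

    dig_out=$(dig +dnssec "$host" A "@$resolver")
    if ad_flag_set "$dig_out"; then
        echo "DNSSEC: $resolver validated $host (ad flag set)"
    else
        echo "DNSSEC: no ad flag from $resolver for $host; validation off or zone unsigned"
    fi

    tls_out=$(printf 'Q\n' | openssl s_client -connect "$host:443" \
        -servername "$host" -status 2>&1)
    if ocsp_stapled "$tls_out"; then
        echo "OCSP: $host staples responses (CA learns nothing per visitor, but stapling is on)"
    else
        echo "OCSP: $host sends no stapled response"
    fi
}

# Only touch the network when explicitly asked: ./check.sh --live 127.0.0.1 example.com
case "${1:-}" in
    --live) check_live "${2:-127.0.0.1}" "${3:-example.com}" ;;
esac
```

Run it with `--live` followed by the resolver and host to test; without arguments it only defines the functions, which is handy for sourcing into other scripts.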
Anyway, it seems Let’s Encrypt already has us covered this year even if I hadn’t.
We plan to end support for OCSP primarily because it represents a considerable risk to privacy on the Internet. When someone visits a website using a browser or other software that checks for certificate revocation via OCSP, the Certificate Authority (CA) operating the OCSP responder immediately becomes aware of which website is being visited from that visitor’s particular IP address.
Through 2025, solutions will continue to be the focus at Wronthink over lambasting enshittified technologies, a temptation I find almost too difficult to resist. Not to worry, those who enjoy the more mean-spirited content: no doubt 2025 will bring a new crop of proprietary idiocy at which to point and laugh derisively.